HIGH | CVE-2026-49068 | CNA: Patchstack

CVE-2026-49068: WordPress Coupon Affiliates plugin <= 7.8.1 - Sensitive Data Exposure vulnerability

Subscriber Sensitive Data Exposure in Coupon Affiliates <= 7.8.1 versions.

Metrics

  • CVSS v3.1: 7.5
  • Severity: HIGH
  • Fixed in: (none listed)
  • Affected Products: 1

HarborGuard Analysis

Synopsis

This is a sensitive data exposure vulnerability in the Coupon Affiliates WordPress plugin (versions 7.8.1 and below), developed by RelyWP. It is reachable over the network with no authentication required, meaning any internet-connected attacker can trigger it without holding any account or credential. Successful exploitation gives an attacker read access to subscriber-level sensitive data stored or processed by the plugin. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including Patchstack) within minutes of publication and matched against customer images, including custom-built images that bundle this WordPress plugin. Any image found to carry an affected version of Coupon Affiliates is flagged immediately.

Status: Available

Triage

HarborGuard scores this CVE at 7.5 HIGH using the published CVSS v3.1 vector and weights it against each customer organization's own compliance policy, escalating findings to the appropriate team inbox based on configured severity thresholds and per-environment risk rules.

Status: Available

Patch

No fix version has been published by RelyWP at this time. HarborGuard re-checks the advisory each ingest cycle and, for customers with auto-remediation enabled, will automatically queue a patched-image rebuild and open a PR against affected workloads the moment an upstream fix becomes available.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the WordPress installation via HTTP/HTTPS from any internet-connected location.

  • Authentication: Not required

    No account, session token, or credential of any kind is needed to trigger the vulnerability.

  • Victim interaction: Not required

    The attack is entirely server-side and requires no action from a logged-in user or administrator.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and places no preconditions on memory layout, timing, or environmental configuration.

Blast Radius

  • An attacker reads sensitive subscriber data exposed by the plugin, which may include personal details, affiliate tracking records, or account metadata stored in the WordPress database.
  • Confidentiality impact is rated HIGH, indicating the full scope of accessible subscriber data can be extracted rather than only partial or indirect disclosure.
  • No integrity or availability impact is indicated, so the attacker cannot modify records or disrupt service through this vector alone.
  • Because the vulnerability itself imposes no rate limit, exposed subscriber data can be harvested in bulk across all affected sites.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-49068 is active and matches any image carrying Coupon Affiliates 7.8.1 or earlier. Because no upstream fix exists yet, HarborGuard monitors the Patchstack advisory and the RelyWP release channel on every ingest cycle. In the interim, customers can apply compensating controls through HarborGuard network policy recommendations, such as restricting public HTTP access to the WordPress installation, applying egress filtering on the container, or using a web application firewall rule to block unauthenticated requests to the affected plugin endpoint. For customers with auto-remediation enabled, a patched-image rebuild, regression test run, and PR against affected workloads will be queued automatically the moment a fix version is published upstream, with a typical median time from CVE patch publication to merged PR of around 90 minutes for high-severity issues.
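
A version check of the kind described above, as an added example (not HarborGuard's or RelyWP's code): it walks an unpacked image's plugins directory, reads the standard WordPress plugin headers, and flags Coupon Affiliates at or below 7.8.1. It assumes the plugin's `Plugin Name` header contains "Coupon Affiliates"; the sample directory names and files are constructed placeholders.

```python
import re
import tempfile
from pathlib import Path

AFFECTED_MAX = (7, 8, 1)           # from the advisory: versions <= 7.8.1
NAME_MARKER = "coupon affiliates"  # assumption: appears in the "Plugin Name:" header
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.I | re.M)

def parse_version(text):
    """Numeric tuple, so 7.10.0 sorts above 7.8.1 (a string compare gets this wrong)."""
    parts = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def read_headers(php_file):
    # WordPress itself only reads the first 8 KiB of a file for plugin headers.
    head = php_file.read_text(errors="replace")[:8192]
    return {k.lower(): v for k, v in HEADER_RE.findall(head)}

def find_affected(plugins_dir):
    """Return [(plugin_dir_name, version_string)] for affected installs."""
    hits = []
    for php_file in sorted(Path(plugins_dir).glob("*/*.php")):
        h = read_headers(php_file)
        if NAME_MARKER in h.get("plugin name", "").lower() and "version" in h:
            if parse_version(h["version"]) <= AFFECTED_MAX:
                hits.append((php_file.parent.name, h["version"]))
    return hits

def build_sample_tree(root):
    """Constructed sample plugins directory; directory names are placeholders."""
    samples = {"site-a-plugin": "7.8.1", "site-b-plugin": "7.10.0", "site-c-plugin": "7.3"}
    for name, ver in samples.items():
        d = Path(root) / name
        d.mkdir(parents=True)
        (d / "main.php").write_text(
            f"<?php\n/**\n * Plugin Name: Coupon Affiliates\n * Version: {ver}\n */\n")
    other = Path(root) / "unrelated"
    other.mkdir()
    (other / "unrelated.php").write_text("<?php\n/*\nPlugin Name: Other\nVersion: 1.0\n*/\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, ver in find_affected(build_sample_tree(tmp)):
            print(f"AFFECTED {name} version {ver}")
```

Point `find_affected` at the `wp-content/plugins` directory of an extracted image or a mounted site to use it on real data.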

Affected packages
  • RelyWP / Coupon Affiliates
    ≤ 7.8.1
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N